Special – SANS Online Digital Forensics and Incident Response Courses

FOR408: Computer Forensic Investigations – Windows In-Depth

Mar 18, 2013 – Apr 24, 2013 w/Ovie Carroll

http://www.sans.org/vlive/details/for408-mar-2013-ovie-carroll

FOR508: Advanced Computer Forensic Analysis and Incident Response

Mar 19, 2013 – Apr 25, 2013 w/ Chad Tilbury & Alissa Torres

http://www.sans.org/vlive/details/for508-mar-2013-chad-tilbury

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

Mar 28, 2013 – Apr 29, 2013 w/ Lenny Zeltser & Jake Williams

http://www.sans.org/vlive/details/for610-mar-2013-lenny-zeltser

15% off all Online Forensic Courses

Discount Code: 0124_FOR15

To learn more about the 15% discount on online forensic classes, visit

http://www.sans.org/online-security-training/specials

Discount is valid through February 20, 2013

Course Review: SANS FOR408 Computer Forensic Investigations – Windows In-Depth

There is a brand new course review posted over at The Ethical Hacker Network discussing FOR408 Windows Forensics In-Depth, authored by Ovie Carroll, Rob Lee, and Chad Tilbury. The reviewer, Jason Andress, discusses the course section by section. Jason took the course in the popular vLive format that SANS offers. Take a look.


Windows Memory Analysis In-Depth Course Launch #DFIR

Memory analysis skills are among the most in-demand skills for digital forensics, incident response, and malware analysts today. In 2013, SANS is introducing a brand new 5-day class dedicated to Windows Memory Forensics. The hands-on course, written by memory forensics pioneer and developer Jesse Kornblum, is incredibly comprehensive, and SANS is proud to offer it as a brand new class in the SANS Digital Forensics and Incident Response lineup. Jesse, a pioneer who wrote many leading-edge forensics tools, contributed to dcfldd, foremost, md5deep, and ssdeep. Jesse also wrote the paper “Using Every Part of the Buffalo in Windows Memory Analysis” in 2007, when memory forensics was just beginning, in addition to contributing code to and helping author many commercial and open source memory forensic projects over the years. We are very excited to have Jesse develop this in-depth course on Windows memory forensics and join the SANS DFIR instructor team.

“Jesse was a phenomenal instructor!” – Matt Howard, NCDOC, FOR526 BETA class

“This is the best SANS course I have taken so far and Jesse was by far the best instructor. I hope to take more classes with him in the future.” – Jonathan Hinson, FOR526 BETA class

Windows Memory Forensics In-Depth

FOR526 – Windows Memory Analysis In-Depth is a critical course for any serious investigator who wishes to tackle advanced forensic and incident response cases. Memory analysis is now a crucial skill for any investigator who is analyzing intrusions.

Malware can hide, but it must run — The malware paradox is key to understanding that while intruders are becoming more advanced with anti-forensic tactics and techniques, it is impossible to hide their footprints completely from a skilled incident responder performing memory analysis. Learn how memory analysis works by studying memory structures and context, memory analysis methods, and the current tools used to parse system RAM.

Attackers will use anti-forensic techniques to hide their tracks. They use rootkits, file wiping, timestamp adjustments, privacy cleaners, and complex malware to hide in plain sight, avoiding detection by standard host-based security measures. Every action adversaries take will leave a trace; you merely need to know where to look. Memory analysis will give you the edge that you need in order to discover advanced adversaries in your network.

FOR526 – Windows Memory Analysis In-Depth is one of the most advanced courses in the SANS Digital Forensics and Incident Response Curriculum. This cutting-edge course covers everything you need to step through memory analysis like a pro.

For the upcoming schedule of FOR526 – Windows Memory Forensics In-Depth please click here.


SANS Digital Forensics and Incident Response Summit – Call For Papers – Closing Soon

Dates:
Summit Dates: July 9-10, 2013
Post-Summit Course Dates: July 11-16, 2013
Summit Venue:
Omni Hotel Downtown Austin
700 San Jacinto @ 8th Street
Austin, TX 78701
Phone: (512) 476-3700
Fax: (512) 397-4888

The 6th annual Forensics and Incident Response Summit will again be held in the live music capital of the world, Austin, Texas. The Summit will focus on high-quality and extremely relevant content, as well as panel discussions, in Digital Forensics and Incident Response. The 2013 theme is currently in development, as the digital forensics and incident response community is constantly evolving; our content promises to be cutting-edge and relevant, to ensure you will be able to utilize the ideas presented when you return to your organization.

Call for Speakers – Now Open

The 6th annual Forensics and Incident Response Summit Call for Speakers is now open. If you are interested in presenting or participating on a panel, note that we are looking for user-presented case studies with communicable lessons.

The Forensics Summit offers speakers opportunities for exposure and recognition as an industry leader. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

Benefits of Speaking
  • Promotion of your speaking session and company recognition via the Forensic conference website and all printed materials
  • Visibility via the Forensic post-conference presentation email link for many months following the conference
  • Full conference badge to attend all Summit sessions
  • Private speaker lunch
  • *Speakers may also be recorded and made available via the Internet to a wider audience (at the discretion of SANS).
Submission Guidelines
  • Title
  • Author Name(s)
  • Author Title
  • Company
  • Speaker Contact Information: Address, phone number, email address
  • Biography
    • Your biography should be approximately 160 words. You may include your current position, titles, areas of professional expertise, experience, awards, degrees, personal information, etc.
  • Abstract
    • The presentation abstract should outline your presentation and what attendees will learn. All content must be strictly educational. The presentation should be relevant to: Media Exploitation Analysts, Legal, Incident Response Teams, Security Operations and Law Enforcement professionals.
  • Session/panel length: 60 minutes
  • Presentation: 50-55 minutes
  • Question & Answer: 5-10 minutes

Send your submissions to callforpapers@sans.org by January 18, 2013 with the subject “SANS DFIR Summit CFP 2013.”

Get a MacBook Air, Toshiba Portege Ultrabook, or $850 Savings with SANS Online Training

The SANS Institute is providing your choice of a MacBook Air, Toshiba Portege Ultrabook, or $850 discount to students who register and pay for a qualifying* SANS vLive or OnDemand course by 11/28/12.

Note: A SANS FOR508 vLive session starts Nov 13, taught by Rob Lee, Chad Tilbury, and Alissa Torres. Sign up now!


To take advantage of this offer, enter one of the following discount codes at checkout:

CODE = 1108_MAC (for MacBook Air)
CODE = 1108_TOSH (for Toshiba Portege Ultrabook)
CODE = 1108_850 (for $850 Discount)

Qualifying vLive courses include:

Qualifying OnDemand courses include:

TERMS & CONDITIONS

11″ MacBook Air Specifications:

  • 1.7GHz dual-core Intel Core i5
  • OS X Mountain Lion
  • 4 GB RAM
  • 64GB flash storage

13.3″ Toshiba Portege Ultrabook Z935-P300 Specifications:

  • 1.7GHz dual-core Intel Core i5
  • Windows 7 Home Premium 64-bit
  • 4 GB RAM
  • 128 GB SSD

The MacBook Air and Toshiba Portege Ultrabook offer is only available to individuals in the United States or Canada. Allow up to 4 weeks for MacBook Air or Toshiba Portege Ultrabook delivery. Canadian customers are responsible for paying any applicable duties, taxes or customs fees.

If you live outside of the US and Canada, or if you simply prefer a cash discount, you can take $850 off any qualifying course instead! Just enter Discount Code 1108_850 when you check out.

MacBook Air is a trademark of Apple Inc., registered in the U.S. and other countries.

Toshiba is a registered trademark of Toshiba Corporation, registered in the U.S. and other countries. Ultrabook is a trademark of Intel Corporation, registered in the U.S. and other countries.

FTK 4 Added to SANS FOR408 Windows Forensics Training Course

We are pleased to report the successful introduction of Access Data’s Forensic Toolkit (FTK) v4 into the SANS FOR408 Course (Computer Forensic Investigations – Windows In-Depth). While students have access to well over a hundred free and open source tools during the course, we also felt it important for them to gain an understanding of the capabilities of commercial tool suites. No single tool can accomplish everything during a forensic examination, but in many cases a forensic suite can greatly speed up case processing and analysis. Hence, commercial tools like Guidance EnCase, Magnet Forensics Internet Evidence Finder, and Access Data FTK are all part of the curriculum.

FTK 4 and Virtual Machines

FTK 4 and SIFT Workstation

Students in the class receive the SANS Windows SIFT Workstation — a Windows 7 virtual machine pre-configured with a wide variety of Windows-based forensic tools. Previous FTK users know that a historical limitation of running FTK on mobile workstations was the significant resources required by the back-end Oracle database. This limitation was mitigated with the introduction of the Postgres database in FTK v4. With multiple classes now having used FTK v4, we have witnessed it operating with as little as 1 GB of memory and 1 processor core allocated to the Windows 7 virtual machine. Note: This is NOT our recommended configuration, and additional memory and processors significantly increase performance. In short, it is clear that the prevalence of quad-core systems and inexpensive RAM makes FTK 4 a very viable solution on modern mobile workstations.

While the purpose of the FOR408 course is to teach core forensic concepts, working with the latest tools ensures students can immediately apply what they learn when they return to their organizations. You can find more information on the course here.

New Advanced Persistent Threat Based – FOR508 Released in On-Demand

It begins on Day 0: A 3-4 letter government agency contacts your organization about some data that was found at another location. Don’t ask us how we know, but you should probably check out several of your systems. You are compromised by the APT.

Most organizations are left speechless, as 90% of all intrusions are now discovered through third-party notification. And in many cases, the APT has been on your network for years.

Learn how to hunt for the APT in this completely brand new training course from SANS – FOR508: Advanced Incident Response and Forensics Course.

The NEW FOR508 APT-based course debuted at SANS Security West in May 2012 to some amazing feedback and reviews. The course, almost completely rewritten from scratch (80% new material), focuses on training incident response teams to hunt down and counter the APT in their networks. Most organizations simply cannot detect and respond to the APT. Using direct knowledge of how the APT operates, we have set up a training environment that takes each student through a scenario that many in the class who had worked APT cases said was “dead on” in accuracy and capability for what these adversaries are able to accomplish.

I hope you consider taking the new FOR508 this year. If your network has been compromised by the APT and you need to train more hunters to find them, this course is specifically designed for your incident response and digital forensic teams. Sign up early to guarantee a seat at the next training event.

The course outline and registration details are posted here: http://computer-forensics.sans.org/info/111225

Upcoming Events List: http://computer-forensics.sans.org/info/111230

The course’s core feature is the APT scenario, which took over a year to build. The scenario is extremely detailed, and many in the class who had experience working APT cases said they felt they were responding to APT-compromised networks. To appreciate the careful attention to detail we took in engineering the network and the breach, I recommend reading this blog: Is A/V Really Dead? – http://computer-forensics.sans.org/info/111235

Each incident responder/forensicator who attends the course will:
  • Detect unknown live malware and dormant malware in memory across multiple machines in an enterprise environment
  • Find beacon malware over port 80 that the APT used to access their C2 channel
  • Identify how the breach originally occurred by identifying the beachhead and spear phishing attack
  • Target hidden and time-stomped malware and utility-ware that the APT uses to move in your network and maintain their presence
  • Use memory analysis and forensics on the SIFT Workstation to detect hidden processes, malware, network connections, and more
  • Track the activity of the APT second by second on the system you are analyzing through in-depth timeline analysis
  • Recover data cleared through anti-forensic techniques used by the APT via Volume Shadow Copy and Restore Point analysis
  • Discover which systems the APT laterally moved to in your enterprise and how they transitioned from system to system easily without being detected
  • Understand how the APT was able to acquire domain admin rights in a locked-down environment
  • Track the APT as they collect critical data and shift it over to a staging system
  • Recover RAR files that the APT exfiltrated from the enterprise network

Full review and write-up by David Nides, KPMG – http://davnads.blogspot.com/2012/07/sans-dfir-sumitt-forensic4cast-award-my.html

Press articles about the new FOR508 course:

CSO ONLINE: Advanced Persistent Threats can be beaten, says expert – Detection is key, but how you respond to APTs is equally important

SECURITY BISTRO:  Understanding and defeating APT, Part 1: Waking up to the who and why behind APT

SECURITY BISTRO:  Understanding and defeating APT, Part 2: Fighting the ‘forever war’ against implacable foes

Some student reviews from the new FOR508 course:

“I was surprised and amazed at how easy it is to do memory analysis and how helpful it is.” – Brian Dugay, Apple

“The examples in the course relate to what I need to know to deal with real world threats.” – Tim Weaver, Digital Mtn. Inc.

“The level of detail is amazing. The methodology is clearly effective at finding pertinent artifacts.” – no name

REGISTER NOW FOR THE NEW FOR508 – LEARN HOW TO DETECT AND RESPOND TO THE APT

The brand new FOR508 is now available in On-Demand — http://www.sans.org/ondemand/course/for508-advanced-computer-forensic-analysis-incident-response

Save 20% on OnDemand Classes

Through August 22, 2012, SANS invites you to save 20% on all OnDemand courses. Save money and learn from SANS’ top instructors without leaving home!

To take advantage of this offer, enter 0724_20 in the Discount Code field when you register for an OnDemand course.

Advanced Persistent Threats Can Be Beaten

Reprinted from http://www.csoonline.com/article/709239/advanced-persistent-threats-can-be-beaten-says-expert

Advanced persistent threats can be beaten, says expert

Detection is key, but how you respond to APTs is equally important

By Taylor Armerding

August 06, 2012 — CSO — Officially, advanced persistent threats (APTs) from China are not even happening. But everybody in information security, especially those trying to protect enterprises from economic espionage, knows that APTs, typically originating in China, are a fact of life in the cyber world, government denials notwithstanding.

As Rob Lee, of the SANS Institute, describes it in a blog post: “It begins on Day 0: A 3-4 letter government agency contacts your organization about some data that was found at another location. Don’t ask us how we know, but you should probably check out several of your systems including 10.3.58.7. You are compromised by the APT.”

But, Lee insists that while the enemies are good and keep getting better, “we can stop them.”

Lee, an entrepreneur and consultant with an Air Force intelligence and law enforcement background, has developed a curriculum for a six-day SANS Advanced Computer Forensic Analysis and Incident Response Course. He said the need for training is obvious, since 50% of Fortune 500 companies have been compromised by APTs.

More than 90% of intrusions aren’t even discovered by the victims themselves, but through third-party notification. In many cases, the APT has been on the victim network for months or even years, exfiltrating intellectual property data plus economic and political information.

And detection is only half the problem, Lee said. “The second half is that now that you’re a victim, how do you respond? What we’ve been trained to do doesn’t match what you should do on the ground. You can actually make it worse,” he said.

A company that is notified, or finds, that it has been breached and reacts immediately to shut down an intruder will notify that intruder, who may then be able to make changes in its code in other areas of the enterprise and remain hidden. “If you act too soon, you lose the chance to do some forensics, and your adversary will make the problem worse,” Lee said.

This is one of the techniques Lee said he teaches in the course, which he is running this week in Austin, Texas, and will present starting July 5 at SANSFIRE in Washington, D.C.

The course, he said, is an effort to keep IT professionals from fighting the last war. It is now generally accepted that perimeter defenses are no longer effective, and that “weeds” are going to get into the enterprise garden. “It starts with an acceptance that weeds will happen,” he said. “This is about building an IR (Incident Response) team so if a weed pops up, you aggressively counter it.”

Ironically, an IR team can improve its detection capability by first being a victim of an attack, and not reacting too quickly. “You need to be a victim first, and that can help you not to be a victim again,” he said.

While the gut response would be to eliminate the attacker’s access immediately, Lee said there is much more to be gained by collecting threat intelligence. “If you get a call from the FBI, instead of reacting immediately with an antivirus, do a memory analysis,” he said. “If you’ve been told to look for something on this IP address, start with your ‘day zero machine’ and look for any others that have that same signature. Scan through your environment to find other compromised code.”

Once a company has been hit with an APT, it will be hit again, Lee said, but the good news for enterprises is that with good threat intelligence, there is something to fight back with. “You can predict the future based on the past,” he said. “The enemy can’t change all his techniques, and once you’ve learned about your adversary, you can deal better with the oncoming waves of attacks.”

Threat intelligence becomes easier for an IR team once its members are trained in looking for indicators, Lee said. “It’s looking for things that are slightly different, like everybody on the train looking the same except for the guy with the red tie. Or a cop on a beat, who can recognize from experience when something is out of place.”

And a reverse-engineering team can provide threat intelligence that can create a signature and possibly decode traffic. “You might even be able to do host monitoring,” Lee said.

Saad Kadhi, CTO of HAPIS, a French information security company, is one of the students in the current course in Austin. He said it has exceeded his expectations, calling it “a real eye-opener.”

But he said to achieve significant results will take not only the expertise he is learning, “but the right tools, which means support from management. There has to be a dedicated team for this,” he said. “A new methodology won’t help if you don’t know how to use it.”

Other stories by Taylor Armerding

BRAND NEW #DFIR COURSE – Windows Memory Forensics In-Depth

Memory analysis skills are among the most in-demand skills for digital forensics, incident response, and malware analysts today. This August, SANS is introducing a brand new 5-day class dedicated to Windows Memory Forensics. The hands-on course, written by memory forensics pioneer Jesse Kornblum, is incredibly comprehensive, and SANS is proud to offer it in the DC area as a beta preview course.

There are numerous benefits to taking the class early. First, you get to see the new material before anyone else. Second, the course is heavily discounted for the beta preview class so we can get feedback and fix anything in the course prior to the official release later this year. Having seen you at SANS events previously, we wanted to specifically invite you to attend this preview and see the new material before anyone else.

Washington D.C. – Metro Accessible

Aug 27th – 31st, 2012

https://www.sans.org/for526-beta-2012/description.php?tid=5355

Windows Memory Forensics In-Depth

Malware can hide, but it must run — The malware paradox is key to understanding that while intruders are becoming more advanced with anti-forensic tactics and techniques, it is impossible to hide their footprints completely from a skilled incident responder performing memory analysis. Learn how memory analysis works by studying memory structures and context, memory analysis methods, and the current tools used to parse system RAM.

Attackers will use anti-forensic techniques to hide their tracks. They use rootkits, file wiping, timestamp adjustments, privacy cleaners, and complex malware to hide in plain sight, avoiding detection by standard host-based security measures. Every action adversaries take will leave a trace; you merely need to know where to look. Memory analysis will give you the edge that you need in order to discover advanced adversaries in your network.

FOR526 – Memory Analysis In-Depth is one of the most advanced courses in the SANS Digital Forensics and Incident Response Curriculum. This cutting-edge course covers everything you need to step through memory analysis like a pro.

We hope that you will consider attending the special preview course at the end of August in Washington D.C. This class is capped in size to keep the numbers intentionally low during the beta preview. If you plan to attend, consider signing up immediately.

Register early. During the beta run of the course, it will be listed at 1/2 price. We recommend you take advantage of this special offer to see the course before anyone else. Seats are truly limited. Consider signing up soon to guarantee a spot.

https://www.sans.org/for526-beta-2012/description.php?tid=5355